Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service between [COMPANY_NAME] ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Sofibia platform ("Service").
This DPA forms part of and is subject to the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
1. Definitions
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including (as applicable): the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); and any other applicable data protection or privacy law.
"Controller" means the Customer who determines the purposes and means of the processing of Personal Data.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Processing" (and "process") means any operation or set of operations performed on Personal Data, whether or not by automated means.
"Processor" means [COMPANY_NAME], which processes Personal Data on behalf of the Controller.
"Restricted Transfer" means a transfer of Personal Data to a third country (outside the EEA/UK) that does not have an adequate level of protection under Applicable Data Protection Law.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission under Decision (EU) 2021/914 (or any successor clauses), and/or the International Data Transfer Addendum issued by the UK Information Commissioner's Office, as applicable.
"Sub-Processor" means any processor engaged by the Processor to carry out processing activities on behalf of the Controller.
All other capitalized terms used but not defined in this DPA have the meaning given to them in the Terms of Service.
2. Roles of the Parties
2.1 Independent Controllers
For personal data relating to the Controller's own User accounts (User names, email addresses, passwords, roles, billing information), each party acts as an independent data controller in accordance with its own Privacy Policy.
2.2 Controller and Processor
For Respondent Personal Data (feedback content, Respondent names, emails, and other information collected through the Controller's feedback forms and processed by the Service on the Controller's behalf), the parties agree that:
- The Controller is the data controller, determining the purposes and means of processing.
- The Processor is the data processor, processing Personal Data only on documented instructions from the Controller.
2.3 Compliance
Each party is individually responsible for complying with its obligations under Applicable Data Protection Law in its respective role.
3. Details of Processing
See Annex I for the full details of processing, including subject matter and duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects.
4. Controller's Obligations
The Controller shall:
- Ensure that it has a lawful basis under Applicable Data Protection Law to collect, transfer, and direct the processing of Personal Data by the Processor.
- Ensure that Respondents and other Data Subjects have been informed about how their Personal Data will be processed, including that it will be processed by an AI service and transmitted to the Processor and its Sub-Processors.
- Provide all necessary notices and obtain all necessary consents (including for the collection of voice recordings) required under Applicable Data Protection Law before collecting Personal Data through the Service.
- Ensure that instructions given to the Processor comply with Applicable Data Protection Law.
- Promptly inform the Processor if it becomes aware of a Personal Data Breach involving Personal Data processed under this DPA.
- Be responsible for ensuring the accuracy, quality, and legality of the Personal Data it submits to the Service.
- Not instruct the Processor to process Personal Data in a manner that would violate Applicable Data Protection Law.
5. Processor's Obligations
5.1 Processing on Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to Restricted Transfers, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of the legal requirement before processing unless that law prohibits disclosure.
5.2 Confidentiality
Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
5.3 Security
Implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. See Annex II.
5.4 Sub-Processors
Not engage Sub-Processors without prior general written authorization of the Controller (this DPA constitutes such authorization for the Sub-Processors listed in Annex III). Engage Sub-Processors under a binding agreement that imposes equivalent data protection obligations.
5.5 Assistance with Data Subject Rights
Assist the Controller in fulfilling its obligations to respond to Data Subjects' requests to exercise their rights under Applicable Data Protection Law, taking into account the nature of the processing.
5.6 Assistance with Security and Compliance
Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, data breach notification, DPIAs, prior consultation), taking into account the nature of the processing and information available to the Processor.
5.7 Deletion and Return
At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage. See Section 15.
5.8 Audit
Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or its appointed auditor.
6. Sub-Processing
6.1 Authorized Sub-Processors
The Controller grants general authorization for the Processor to engage the Sub-Processors listed in Annex III. The Processor will ensure all Sub-Processors are bound by data protection agreements at least as protective as this DPA.
6.2 Changes to Sub-Processors
The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors by updating Annex III and providing at least 30 days' prior notice to the Controller (via email or in-Service notification).
6.3 Objection to Sub-Processors
The Controller may object to a new Sub-Processor within 14 days of notice by sending a written objection to privacy@sofibia.com specifying reasonable grounds based on data protection concerns. The Processor shall work in good faith with the Controller to resolve the objection. If the parties cannot agree within a reasonable time, either party may terminate the portion of the Services that requires the use of the objected Sub-Processor.
6.4 Liability
The Processor remains fully liable to the Controller for the performance of Sub-Processors' data protection obligations to the extent the Processor is liable under Applicable Data Protection Law.
7. Data Transfers
7.1 Processing Locations
Personal Data is processed primarily in the United States (Google Cloud Platform infrastructure). See Annex I for processing locations.
7.2 Restricted Transfers — EEA/UK/Switzerland
For transfers of Personal Data from the EEA, UK, or Switzerland to the United States or other third countries without an adequacy decision, the parties rely on the following transfer mechanisms:
(a) Standard Contractual Clauses (EEA to US): The parties agree that the EU SCCs (Commission Implementing Decision (EU) 2021/914, Modules as applicable) are incorporated by reference into this DPA and apply to the processing of EEA Personal Data. Where the Controller is established in the EEA and the Processor processes data in the US, Module 2 (Controller to Processor) applies. The SCCs are completed as follows:
- Clause 7 (Docking Clause): applies.
- Clause 9: Option 2 (General Written Authorisation) applies; 30 days' notice for changes.
- Clause 11: the optional language on DSB assistance does not apply.
- Clause 17: the SCCs are governed by the law of [EU_MEMBER_STATE].
- Clause 18: disputes are submitted to the courts of [EU_MEMBER_STATE].
- Annexes I, II, III of the SCCs are completed as per the corresponding Annexes of this DPA.
(b) UK International Data Transfer Addendum: For transfers from the United Kingdom, the parties incorporate the UK IDTA issued by the UK ICO (or the UK Addendum to the EU SCCs), completed in line with Annex I and Annex II of this DPA.
(c) Swiss Data Transfers: For transfers from Switzerland, the EU SCCs as described above apply with necessary modifications to reflect Swiss data protection law (Federal Act on Data Protection, "FADP").
(d) EU-U.S. Data Privacy Framework: To the extent Processor or its Sub-Processors are certified under the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework, the parties may rely on such certification as an additional transfer mechanism.
7.3 Sub-Processor Transfers
The Processor shall ensure that any Restricted Transfers to Sub-Processors are made under the SCCs, equivalent adequacy mechanisms, or binding corporate rules.
8. Security Measures
The Processor shall implement and maintain the technical and organizational security measures described in Annex II. The Controller acknowledges that security measures must balance protection against usability and cost, and that no measure guarantees absolute security.
9. Data Breach Notification
9.1 Notice to Controller
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notice shall include (to the extent known at the time):
- A description of the nature of the breach.
- Categories and approximate number of Data Subjects affected.
- Categories and approximate number of Personal Data records concerned.
- Name and contact details of the data protection contact.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
Where complete information is not available within 72 hours, the Processor shall provide a preliminary notice and follow up with additional details as they become available.
9.2 Controller's Obligations
The Controller is solely responsible for assessing whether a Personal Data Breach requires notification to supervisory authorities or Data Subjects under Articles 33–34 GDPR, notifying the relevant supervisory authority within 72 hours, and notifying affected Data Subjects where required.
9.3 Assistance
The Processor shall provide reasonable assistance to the Controller in connection with the Controller's notification and communication obligations.
10. Data Subject Rights Assistance
Upon receipt of a Data Subject request forwarded by the Controller, the Processor shall promptly assist the Controller in providing access to, correcting, deleting, restricting, or exporting the relevant Personal Data, as technically feasible. Where the Processor receives a Data Subject request directly, it shall forward such request to the Controller and shall not respond to the Data Subject directly unless the Controller has authorized it to do so.
The Processor may charge a reasonable fee for assistance beyond what is reasonably expected in the course of providing the Service.
11. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller for any Data Protection Impact Assessment (DPIA) or prior consultation with a supervisory authority (Articles 35–36 GDPR) required in connection with the processing under this DPA. Such assistance is limited to information available to the Processor about the processing, its Sub-Processors, and its security measures.
12. Records of Processing Activities
The Processor shall maintain records of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR, including information about the Processor and any Sub-Processors, categories of processing carried out on behalf of each Controller, international transfers and applicable transfer mechanisms, and security measures implemented. The Processor shall make such records available to supervisory authorities upon request.
13. Audit Rights
13.1 Information and Audit
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA upon written request, and allow the Controller or its appointed auditor to conduct audits or inspections, subject to:
- At least 30 days' prior written notice (except in the case of a Personal Data Breach).
- Agreement on reasonable timing to minimize disruption to Processor operations.
- The audit being conducted during business hours and no more than once per calendar year.
- The auditor signing a reasonable confidentiality agreement.
13.2 Audit Reports
The Controller may satisfy its audit right by requesting and reviewing the Processor's most recent third-party security audit report (e.g., SOC 2 Type II, ISO 27001 certification), where available, instead of conducting its own audit.
13.3 Costs
The Controller shall bear the costs of any audit it conducts. The Processor may charge reasonable costs for assistance provided beyond what is included in the ordinary course of the Service.
14. Confidentiality
All Personal Data processed under this DPA is treated as confidential. The Processor's obligations under this DPA supplement (and do not replace) any confidentiality obligations set out in the Terms of Service.
15. Term and Termination
15.1 Duration
This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service.
15.2 Effect of Termination
Upon termination or expiry of the Terms of Service, or upon request by the Controller:
- The Processor shall cease all processing of Respondent Personal Data within 30 days.
- At the Controller's choice (expressed in writing within 14 days of termination), the Processor shall either delete all Respondent Personal Data from its systems (including Sub-Processors), or return the Personal Data to the Controller in a commonly used, machine-readable format (e.g., CSV, JSON).
- Within 60 days of termination, the Processor shall provide written confirmation that all Respondent Personal Data has been deleted or returned.
- The Processor may retain Personal Data for the minimum period required by applicable law, provided it restricts processing to what is strictly necessary for that purpose and implements additional safeguards.
16. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, to the extent permitted by Applicable Data Protection Law.
Each party shall be liable to the other for any damage caused by a breach of this DPA attributable to that party, subject to the liability cap in the Terms of Service.
Where a supervisory authority or court imposes a fine or award on one party for a breach attributable to the other party, the responsible party shall indemnify the first party for such amount, subject to the Terms of Service.
17. Governing Law
This DPA is governed by the same governing law as the Terms of Service, except that for processing of EEA Personal Data, the SCCs are governed by the law of [EU_MEMBER_STATE] as stated in Section 7.2, and for processing of UK Personal Data, the UK IDTA and related provisions are governed by English law.
18. General Provisions
This DPA is incorporated into and forms part of the Terms of Service. Capitalized terms used herein and not otherwise defined have the meanings given in the Terms of Service.
In the event of any inconsistency between this DPA and the Terms of Service in matters relating to data protection, this DPA shall prevail.
Both parties agree to cooperate in good faith to amend this DPA if required by a supervisory authority, legal opinion, or change in applicable law.
The Controller may execute and deliver this DPA by accepting the Terms of Service (which incorporate this DPA by reference). No wet-ink or physical signature is required.
Annex I — Details of Processing
A. List of Parties
| Role | Party | Address | Contact |
|---|---|---|---|
| Controller | Customer (as identified in the Customer's account) | As registered | Account email |
| Processor | [COMPANY_NAME] | [COMPANY_ADDRESS] | privacy@sofibia.com |
B. Description of Processing
| Field | Details |
|---|---|
| Subject matter | Processing of personal data relating to Respondents who submit feedback through the Controller's forms; processing of personal data of the Controller's Users necessary to operate the Service |
| Duration | For the duration of the Terms of Service, plus up to 30 days post-termination (retention period) |
| Nature of processing | Collection, storage, organization, structuring, retrieval, use, transmission (to Sub-Processors for AI analysis), analysis, erasure, and destruction of Personal Data |
| Purpose of processing | To provide the Sofibia Service: (1) storing feedback submitted to the Controller's forms; (2) AI-powered analysis of feedback content; (3) generating semantic embeddings and clustering analysis; (4) providing analytics and insights to the Controller |
C. Types of Personal Data
| Category | Examples |
|---|---|
| Respondent identification data | Name, email address (only if Respondent opts to share identity) |
| Respondent feedback content | Free-text feedback, voice recording (temporarily during transcription), transcribed text |
| Respondent technical data | User-Agent string (browser and device type) |
| Respondent authentication data | Hashed Google account sub identifier (for deduplication on public forms; stored as hash only) |
| AI analysis outputs | Sentiment classification, emotional trait, intent classification, actionability label, AI-generated summary |
| Semantic analysis data | Individual sentences extracted from feedback; vector embeddings (numeric representations) |
| User account data (Controller's staff) | Name, email, role, authentication credentials (password hash; Google OAuth identifiers) |
| Audit log data | User ID, action type, timestamp (retained 7 days) |
D. Categories of Data Subjects
| Category | Description |
|---|---|
| Respondents | Customers, end-users, or members of the public who submit feedback through forms created by the Controller |
| Users (Controller's staff) | Employees, contractors, or agents of the Controller who use the Service to manage feedback |
E. Processing Location
| Location | Infrastructure | Provider |
|---|---|---|
| United States | Cloud Run (compute), Cloud SQL (database), MemoryStore (cache/session) | Google Cloud Platform |
| United States | AI text analysis and embedding API | OpenAI, L.L.C. |
| United States | AI text analysis API | Anthropic, PBC |
| United States | Subscription billing, checkout, customer portal, webhooks | Lemon Squeezy |
Annex II — Technical and Organizational Security Measures
Access Controls
| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication available for administrative access; strong password policy enforced |
| Password storage | BCrypt hashing — passwords never stored in plaintext |
| Session management | Short-lived JWT access tokens (15-minute TTL); refresh tokens (30-day TTL) stored server-side with automatic expiration |
| Account lockout | Automatic lockout after repeated failed login attempts |
| Role-based access | Users assigned roles (Owner, Admin, User); access enforced at API level |
| Principle of least privilege | Service components access only the data and systems required for their function |
| Impersonation controls | Support staff impersonation requires a time-limited, one-time-use token; tracked in audit logs; session stored separately from regular sessions |
Data Isolation
| Measure | Implementation |
|---|---|
| Multi-tenant isolation | All tenant data isolated at the database level using tenant_id foreign keys; queries automatically scoped to the requesting tenant |
| No cross-tenant data access | Tenant context extracted from JWT and enforced at application layer |
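The two Data Isolation measures above describe a pattern (tenant_id foreign keys on every row, tenant context taken from the verified token and applied to every query) rather than code. The following is an added illustration of that pattern, not Sofibia's own implementation: it uses an in-memory SQLite schema and a minimal HMAC-signed token as a stand-in for the JWT, and all table names, claim names and sample rows are constructed for the example. The point it demonstrates is that a caller holding tenant A's token cannot retrieve tenant B's feedback by guessing its id, and that a token without a valid tenant claim is rejected rather than falling back to an unscoped query.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key; a real deployment loads the signing key from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, tenant_id: int) -> str:
    """Mint a minimal HMAC-signed token carrying the tenant claim (stand-in for the JWT)."""
    payload = _b64(json.dumps({"sub": user_id, "tenant_id": tenant_id}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def tenant_from_token(token: str) -> int:
    """Verify the signature, then extract tenant_id.

    Every failure raises PermissionError: the handler must never proceed with
    an unscoped query when tenant context is missing or unverifiable.
    """
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    tenant_id = claims.get("tenant_id")
    if not isinstance(tenant_id, int):
        raise PermissionError("token has no tenant context")
    return tenant_id


class FeedbackRepository:
    """Data access layer: tenant_id is a mandatory predicate on every query; no unscoped read path exists."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get_feedback(self, tenant_id: int, feedback_id: int):
        row = self.conn.execute(
            "SELECT id, tenant_id, content FROM feedback WHERE id = ? AND tenant_id = ?",
            (feedback_id, tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "tenant_id": row[1], "content": row[2]}

    def list_feedback(self, tenant_id: int):
        rows = self.conn.execute(
            "SELECT id, content FROM feedback WHERE tenant_id = ? ORDER BY id", (tenant_id,)
        ).fetchall()
        return [{"id": r[0], "content": r[1]} for r in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed schema with the tenant_id foreign key and a few sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE tenant (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE feedback ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id INTEGER NOT NULL REFERENCES tenant(id),"
        " content TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO tenant VALUES (?, ?)", [(1, "acme"), (2, "globex")])
    conn.executemany(
        "INSERT INTO feedback VALUES (?, ?, ?)",
        [
            (101, 1, "Checkout flow is confusing"),
            (102, 1, "Love the new dashboard"),
            (201, 2, "Invoices arrive late"),
        ],
    )
    conn.commit()
    return conn


def handle_get_feedback(repo: FeedbackRepository, token: str, feedback_id: int):
    """Request handler: tenant context comes from the verified token, never from request parameters."""
    tenant_id = tenant_from_token(token)
    return repo.get_feedback(tenant_id, feedback_id)


if __name__ == "__main__":
    repo = FeedbackRepository(build_demo_db())
    token_a = issue_token("user-1", 1)
    print(handle_get_feedback(repo, token_a, 101))  # own tenant's row
    print(handle_get_feedback(repo, token_a, 201))  # other tenant's row: None, not an error leak
```

The repository deliberately has no method that omits tenant_id, so a handler bug cannot widen a query by accident; a cross-tenant id simply returns no row, which is the same response as a non-existent id and so does not reveal whether the other tenant's record exists.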
Encryption
| Measure | Implementation |
|---|---|
| Encryption in transit | All communications between clients and servers use TLS/HTTPS |
| Encryption at rest | Google Cloud SQL and MemoryStore encrypt data at rest using AES-256 by default |
| Token storage | JWT tokens stored server-side, protected by password authentication |
Audit and Monitoring
| Measure | Implementation |
|---|---|
| Audit logging | Login, logout, and administrative actions logged with user ID, tenant ID, event type, and timestamp |
| Audit log retention | 7 days; automatically deleted to minimize data retention |
| Infrastructure monitoring | Google Cloud infrastructure monitoring and alerting |
Vulnerability Management
| Measure | Implementation |
|---|---|
| Dependency management | Regular updates of software dependencies |
| Rate limiting | API endpoints rate-limited at infrastructure level (10 req/s for API, 5 req/s for public forms) |
| Input validation | All user inputs validated at API boundary |
| CORS | Cross-Origin Resource Sharing restricted to allowed origins |
Organizational Measures
| Measure | Implementation |
|---|---|
| Sub-processor agreements | Data Processing Agreements in place with all Sub-Processors |
| Data minimization | Only data necessary for service provision is collected and processed |
| Data retention | Automated deletion of audit logs after 7 days; expired tokens auto-deleted; billing records retained as required by applicable tax law (up to 7 years) |
| Subscription audit trail | Every plan change, status transition, payment, refund, and administrative action recorded as an append-only event row with actor type, actor identifier, and reason |
Annex III — List of Sub-Processors
The Controller authorizes the Processor to engage the following Sub-Processors:
| Sub-Processor | Country | Purpose | Data Transferred |
|---|---|---|---|
| Google Cloud Platform | USA | Infrastructure hosting, database, cache | All Personal Data (stored/processed in Service) |
| OpenAI, L.L.C. | USA | AI text analysis, summarization, vector embeddings, voice transcription (Whisper) | Feedback text content; audio recordings (transcription only; not retained); analysis prompts |
| Anthropic, PBC | USA | AI text analysis, summarization (alternative provider) | Feedback text content; analysis prompts |
| Lemon Squeezy | USA | Subscription billing (Merchant of Record), payment processing, invoice issuance, tax collection | User account data (name, email, billing address); subscription plan code; transaction amounts. Cardholder PAN/CVV are processed by Lemon Squeezy and its PCI-DSS certified payment processors and are never transmitted to or stored by the Processor. |
Notes:
- Sub-Processors are subject to change. The Processor will provide at least 30 days' prior notice of any changes (additions or replacements) via email notification.
- Feedback content is transmitted to OpenAI and/or Anthropic only when AI analysis features are used. If the Controller does not use AI analysis features, feedback content is not sent to these Sub-Processors.
- Audio recordings are transmitted to OpenAI Whisper API only for real-time transcription and are not retained by OpenAI beyond the API call (per OpenAI API data policy).
- Lemon Squeezy acts as the Merchant of Record for paid subscriptions. As MoR, Lemon Squeezy is the seller of record, collects and remits applicable VAT/GST/sales tax in their own name, and issues invoices to the Customer directly. The Processor records the subscription lifecycle and a denormalized invoice snapshot in its own database for audit, dispute resolution, and tax compliance. This snapshot is retained for the period required by applicable tax record-keeping law and survives Customer account erasure under GDPR Art. 17(3)(b).
Contact
For questions about this DPA: privacy@sofibia.com